Tuesday, June 27, 2017

How to parse Windows DNS debug logs with Log Parser to find infected hosts (e.g. WannaCry)

In this article I share a PowerShell script that helps identify PCs infected with WannaCry, and members of other botnets, by the DNS names they query. With Microsoft Log Parser you can check the debug log files of all your Windows DNS servers very quickly.

Download powershell script

1. First enable DNS debug logging on all DNS servers
- set a limit for the log file size
- use the same log file path on every server (the script relies on it)


2. Install Log Parser on the PC from which you run the script

3. In the script set
- the DNS servers
- the domain labels to search for
- the home folder
- the path of the DNS debug log file on the servers
- the email server (anonymous SMTP relay)
- the recipient email address

# Set variables
$HomeFolder = "D:\Scripts"
Set-Location $HomeFolder
if (!(Test-Path "$HomeFolder\Logs")) { New-Item -ItemType Directory -Path "$HomeFolder\Logs" | Out-Null }
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"

# DNS servers to check; the debug log must be at the same path on every server (step 1)
# and is read here over the administrative share
$Servers = @("dc1.blogspot.com","dc2.blogspot.com","dc3.blogspot.com")
$DnsLogPath = 'c$\Scripts\Logs\Queries.log'
# Labels to look for: the WannaCry kill-switch domains and a few other botnet names
$VirDomains = @("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea","ifferfsodp9ifjaposdfjhgosurijfaewrwergwea","ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf","pingdavinci","wizardtesla","archimedus")

# Mail alert through an anonymous SMTP relay
$msg = New-Object Net.Mail.MailMessage
$msg.From = "myscript@blogspot.com"
$msg.To.Add("i-evgeny@blogspot.com")
$msg.Subject = "Virus DNS Parser"
$SMTPServer = "smtp.blogspot.com"
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 25)
# 24-hour clock (HH) so the hourly runs before and after noon get distinct file names
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "$HomeFolder\Logs\parser_vir_$LogTime.log"

# Logparser query: with a space separator the question name lands in field15/field16,
# and a substring match on the label works regardless of the (n)label(n)label(0) encoding
$VirDomains_str = ($VirDomains | ForEach-Object { "field15 LIKE '%$_%' OR field16 LIKE '%$_%'" }) -join " OR "
$DCs_str = ($Servers | ForEach-Object { "\\$_\$DnsLogPath" }) -join ","

$query = """SELECT * INTO $LogFile FROM $DCs_str WHERE $VirDomains_str"""
$LogParserStr = "-i:TSV -iSeparator:space -nFields:16 -headerRow:OFF -nSkipLines:30 -o:csv " + $query
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode)" }

# Send alert only if something matched; guard against a missing or empty output file
$Result = $null
if (Test-Path $LogFile) { $Result = Import-Csv $LogFile }
if ($Result) {
    # field8 is the address of the client that sent the query
    $vir_ip = $Result | Select-Object -ExpandProperty field8 -Unique
    $msg.Body = $vir_ip -join "`r`n"
    $att = New-Object Net.Mail.Attachment($LogFile)
    $msg.Attachments.Add($att)
    $SMTPClient.Send($msg)
    $att.Dispose()
}

4. Schedule a task (e.g. every hour); the account it runs as must have read permission on the DNS debug log files of every server, because the script reads them over the administrative share.
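The Log Parser query above finds the kill-switch names by a substring match on two columns of the space-separated log. As an added example that is not part of the original post, the stand-alone Python script below applies the same indicator list directly to the text of a DNS debug log: it recognises packet lines by their structure instead of a column number, decodes the (3)www(7)example(3)com(0) question-name encoding and checks each length prefix, counts only queries received from clients (a Snd line for a recursive lookup carries the forwarder's address, not the infected host's), and reports the client IPs with the names they asked for. The sample log is constructed, not captured from a server, and the regular expression assumes the en-US packet line layout that the debug log describes in its own header; on a server with a different locale the AM/PM column may be absent, which the expression tolerates, but the date format may differ.

```python
import re
from collections import defaultdict

# Indicators from the post: a bare label is matched against whole DNS labels,
# a dotted entry against the end of the decoded name at a label boundary.
INDICATORS = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea",
    "pingdavinci",
    "wizardtesla",
    "archimedus",
]

# Constructed sample of a Windows DNS debug log; it is not from a real server.
# A packet line carries: date, time, AM/PM (locale dependent), thread id, PACKET,
# packet id, UDP/TCP, Snd/Rcv, remote IP, XID, optional R, opcode, [flags],
# question type and the question name encoded as (len)label(len)label(0).
SAMPLE_LOG = """\
DNS Server log file creation at 6/27/2017 8:00:00 AM
Log file wrap at 6/27/2017 8:00:00 AM

Message logging key (for packets - other items use a subset of these fields):
    Field #  Information         Values
    -------  -----------         ------
       1     Date
       2     Time

6/27/2017 8:02:11 AM 0B4C PACKET  000000D3A1B2C3D0 UDP Rcv 10.20.30.40     c4f2   Q [0001   D   NOERROR] A      (41)iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(3)com(0)
6/27/2017 8:02:11 AM 0B4C PACKET  000000D3A1B2C3D0 UDP Snd 10.20.30.40     c4f2 R Q [8081   DR  NOERROR] A      (41)iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(3)com(0)
6/27/2017 8:02:15 AM 0B4C PACKET  000000D3A1B2C3E8 UDP Rcv 10.20.30.41     0a11   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/27/2017 8:03:40 AM 0B4C PACKET  000000D3A1B2C410 TCP Rcv 10.20.30.40     77e0   Q [0001   D   NOERROR] A      (11)wizardtesla(0)
6/27/2017 8:04:02 AM 0B4C PACKET  000000D3A1B2C430 UDP Rcv 10.20.30.42     3b19   Q [0001   D   NOERROR] AAAA   (11)pingdavinci(3)net(0)
"""

PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?:(?P<ampm>AM|PM)\s+)?"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R\s+)?(?P<opcode>[A-Z]+)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def parse_packet_line(line):
    """Return the fields of one PACKET line as a dict, or None for header, blank or other lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec["response"] is not None   # the R column marks an answer, not a query
    return rec


def decode_name(encoded):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com', checking each length prefix."""
    labels, pos = [], 0
    while pos < len(encoded):
        m = LABEL_RE.match(encoded, pos)
        if not m or len(m.group(2)) != int(m.group(1)):
            raise ValueError("malformed encoded name: %r" % encoded)
        if int(m.group(1)) == 0:
            break                      # the root label terminates the name
        labels.append(m.group(2))
        pos = m.end()
    return ".".join(labels)


def name_matches(name, indicators):
    """Return the first indicator that matches the decoded name, else None."""
    lowered = name.lower()
    labels = lowered.split(".")
    for ind in indicators:
        ind = ind.lower().strip(".")
        if "." in ind:
            if lowered == ind or lowered.endswith("." + ind):
                return ind
        elif ind in labels:
            return ind
    return None


def find_infected(log_text, indicators=INDICATORS):
    """Map client IP -> set of matching names, counting only queries received from clients."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_packet_line(line)
        # Skip non-packet lines, packets the server sent, and answers
        if rec is None or rec["direction"] != "Rcv" or rec["response"]:
            continue
        try:
            qname = decode_name(rec["name"])
        except ValueError:
            continue                   # a truncated line must not abort the whole run
        if name_matches(qname, indicators):
            hits[rec["ip"]].add(qname)
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(find_infected(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(names)))
```

Run it on a real file with find_infected(open(path).read()); on the sample it reports 10.20.30.40 (kill-switch domain and wizardtesla) and 10.20.30.42 (pingdavinci.net) and ignores the host that only asked for www.example.com. Matching on whole labels rather than raw substrings is the reason for the decoder: a LIKE '%example.com%' on the raw column would never match, because the dots are not in the log, and a short label such as archimedus as a plain substring could also fire on an unrelated longer name.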
